HOW CAN FIRMS INSURE AGAINST AFFINITY FRAUD?
By Dennis A. Stubblefield and Jack Jennings
The short answer is, “Not through any carrier we know.” It is likely that already-stressed broker-dealer professional liability insurance will be found to be either non-responsive or woefully inadequate. However, firms---and we are focusing on independent-contractor broker-dealers---can do a lot to prevent, manage and mitigate the risks of affinity fraud, and other major retail-based threats.
Former SEC Enforcement lawyer Dennis A. Stubblefield is a partner at Shustak Reynolds & Partners, P.C. The focus of his practice is representing independent contractor broker-dealers, their reps and others in securities enforcement matters; he also serves as an expert witness in securities-related matters. He is Adjunct Professor of Law at Western State College of Law, where he teaches Securities Regulation and Business Law Ethics.
Jack Jennings is an Executive Vice President with Willis New York Metro and an Adjunct Professor at St. John’s University School of Risk Management. He has over 38 years’ experience in insurance brokerage and risk advisory services, particularly serving financial services clients, including independent contractor broker-dealers.
[Authors’ acknowledgment: we wish to recognize and thank Mark Quinn for his substantial and helpful contributions to this article, and Paris Novinni for her research and editing]
In the Relationship Business, the Line Between Good and Evil is Often Blurry
First, some very obvious points which still bear emphasis. Financial advice is a relationship-based business. Despite the advent of "robo-advisors" and other tech-driven models, good old-fashioned human-to-human interaction still matters, and matters big time.
People like to do business with people they like, and trust. This sales and marketing adage is perhaps even more compelling in today's environment where genuine human engagement is too often the exception, not the rule. However, the vast majority of well-run firms has always understood the value of, and has rightfully encouraged reps to build, solid, long-term relationships in their local communities.
Problem is: fraudsters also understand the "like and trust" truism, and they use and abuse their apparent "relationships" with customers on a daily basis, in crimes ranging from identity theft to affinity fraud. The SEC warns that affinity fraud scams "...exploit the trust and friendship that exist in groups of people who have something in common." Yet, affinity fraud, though recognized as a distinct species of fraud---church-based affinity fraud is perhaps the most visible---is at bottom just a larger, more structured form of the classic abuse-of-trust fraud which can happen in any relationship.
So it seems there is a sort of continuum. At one end is the "model citizen rep" who employs great, healthy relationships to drive value for her clients: yes, she's making money, maybe even big money, but such compensation is largely derivative of outstanding value transparently and effectively delivered to clients in a manner which is unlikely to get the attention of either regulators or plaintiffs' counsel. At the other end is the predator in soothing advisor's clothing---whether a Series 7, an RIA or an unregistered promoter/entrepreneur---who wrongfully manipulates relationships, typically feigning "friendship" and trust as the familial foundation which can serve as the gateway to client abuse, whether on a one-on-one basis, or, as part of a broader affinity fraud within a local church or group.
And then... there is everyone and every transaction in between. We have little doubt that the compliance and supervision professionals of the good firms earn their pay and then some daily in assessing where various players and transactions fit into this continuum in a very fast moving market, and what, if anything, firms can do to prevent fraud before it hatches or spreads.
The stakes are high: A 2012 study by the Stanford Financial Fraud Research Center and Finra estimated that overall investor losses caused by fraud top $40 to $50 billion per year. And this figure may not take into account the true cost to firms as a result of such wrongdoing, ranging from monetary payouts to investors and regulators, to out-of-pocket legal/compliance expenses to wasted management time dealing more with litigation management than revenue generation.
In the seemingly constant battle between good firms/reps v. fraudsters and bad apple reps, it seems obvious that those firms with better information and tools will tend to do better.
In the Relationship Business, Due Diligence includes Knowing Your Customers
Two of the most well-known phrases in our business are "Know Your Customer" and "Due Diligence." Most of us think about the above two concepts separately. Yet, they share a fundamental element in common: the requirement of reasonable care and effectiveness in learning, evaluating, and using important information. Thinking about these maxims, and how they work together, seems useful in guiding IBDs today.
"Due Diligence" encompasses more than just vetting new products, and, for example, being able to demonstrate reasonable compliance in view of NTM 10-22 and its predecessors. At its core, "due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party."
Similarly, the term "Know Your Customer" in the IBD space should mean more than the obligations of the well-known NYSE and Finra rules over the years. It should encompass firms knowing and understanding their business model customers, i.e., the OSJs and the registered reps who are the actual revenue producers.
Finra's David Greene has said that firms should think of product due diligence not merely as a Finra-imposed obligation but also as a common-sense process to discharge smart, prudent business practices [“Finra: Fiduciary Standards, Examination and Enforcement Program Priorities,” panel presentation at National Regulatory Services Fall Conference, with Dennis A. Stubblefield, October 2013]. Sandy Bolton of Pershing and others have termed this "operational due diligence."
"Good Compliance is Good Business" comes to mind here. This well-known maxim, coined by the former GC of Merrill Lynch & Co., Steve Hammerman, is more than a nice aspirational catchphrase. We submit that it is true, but perhaps only when firms design and discharge compliance smartly. The better that firms know their customers---their business-side revenue producers, as well as those producers' clients---the better those firms can design a great structure and execute within it. The better that operational due diligence is done across the board, the more such firms will improve their long-term results for all of their customers and themselves. Combine the two---deep understanding of customers and superior operational due diligence---and firms have the best shot possible to prevent, detect, and mitigate affinity fraud and other major risks.
In the Relationship Business, Connecting the Dots Matters
The following are some suggestions on how to achieve excellent operational due diligence, including smart compliance and risk management---up front, with good contracts, system and process and insurance; mid-stream, with smart ways to manage the business, its customers and its risks; and back-end, with practical and creative approaches to litigation and regulatory threats. The watchwords here are common sense, accountability, and, of course, great relationships. The long-term goal is to have a seamless structure, system and process where firms can connect the dots and stay ahead of the curve.
Up Front: Contracts, System and Process, and Insurance
- Good contracts. Firms may not have much leverage with clearing and selling agreements, but they do call the shots with their own rep and OSJ contracts. Firms should consider pushing the envelope as much as possible in the design and drafting of their own agreements: put in very solid compliance-related obligations without threatening the independent contractor status. 14 years ago in the SunAmerica system we contractually required that reps make available all records related to their outside businesses, and this was enforced through the branch exam process. Whether firms do this by contract, or by policy and procedure adherence, they must be able to demonstrate the right and the ability to monitor and do appropriate follow-up on OBA compliance, and the execution of this functionality. Given the risk that unauthorized activity poses to broker-dealers, firms should consider review of advisors' tax returns, on either a random or periodic basis. This may be particularly warranted in cases where a rep’s lifestyle does not seem consistent with the income that the firm can identify. In our experience, bad actors are less likely to lie to the IRS than to their employers, and the mere fact that the firm may review tax returns might encourage reps to reconsider their involvement in unauthorized activities. If privacy and data protection are the issue---and these are serious concerns---then firms need to find ways to protect this information. If reps still push back, claiming client confidentiality and/or broker-dealer overbearance, then firms should redouble their efforts to prove this value proposition; some reps may still resist, but firms should be prepared to cut loose those who simply can't or won't "get it".
- Good System and Process. Adherence to law and regulation, including the federal securities laws and Finra's rules (including its new supervision rules) is of course necessary, but is often not sufficient for effective risk management, and sometimes not enough to demonstrate reasonable supervision in situations involving previously-existing "red flags." Firms should take time to design and develop a truly effective overall process which fits particular firm business models. Here any number of facets warrant detailed discussion, but perhaps one of the most important, and timely, is the importance of a tight, compliant recruiting and hiring process: Vet prospective representatives carefully before hiring them. History doesn’t always repeat itself, but it often rhymes. If a recruit has had legal or regulatory issues at a former firm, a hiring firm needs to know and understand the background of those issues and make an informed decision about whether to hire the representative. Past customer complaints, regulatory inquiries, and credit issues such as liens, judgments or unpaid taxes are red flags that need to be reviewed carefully. In addition, it is important for firms to understand the business model of the representative and the profile of his or her client base. If the demographic makeup of an advisor’s book is retirees whose portfolios are full of 30-year bonds, consider what effect a rise in interest rates will have on the value of their investments. Try to avoid inheriting problems with securities that were purchased at another firm in a different environment. Finra's New Hiring Rules should be viewed as setting out the minimum amount which firms should want to invest in this critical aspect of running a tight shop. Many firms have specific criteria or standards for which recruits they will or will not hire and management committees which must approve deviations from those standards.
These approaches will not only help assure that the firm does not hire problematic individuals, but also establish that the firm has made a good-faith attempt and taken reasonable steps to monitor the process. It is almost axiomatic that the firm and the supervisor do not always have to be right, but they do have to act reasonably.
- Good Insurance. Firms often do not have much leverage to materially change basic professional liability coverage, but there are a number of factors which firms should be cognizant of in determining the types and amounts of insurance necessary.
Affinity Fraud limitation: Most BD professional liability policies have a per claim and annual aggregate limit of liability ($1mm per claim and $5mm aggregate would not be uncommon). In most cases of affinity fraud, the BD would have only the per claim limit ($1mm in our example) and that includes defense costs! This is due to the interrelated claims clauses in these policies that serve to group common claims into a single claim.
It is well known that these policies have what is commonly referred to as a "fraud and personal conduct exclusion." It is important to keep in mind that, under this exclusion, carriers may issue an outright denial of coverage (perhaps including defense costs) at the outset. This is because such exclusions may be triggered even before any eventual determination (whether by judgment or settlement) of fault or guilt. In contrast, most D&O policies contain what is known as a "final adjudication standard" which does require such ultimate determination of fault or guilt, before the fraud/personal conduct exclusion may be invoked. As a practical matter, however, the vast majority of E&O carriers will defend cases which include fraud claims (it seems nearly all major claims do) under a reservation of rights, particularly if the client/BD has been a loyal customer and "good citizen." All the more reason for firms to have an airtight system and process in place, ideally to prevent most situations from ever ripening into "claims" in the first place.
Another important difference between BD E&O policies and D&O policies is the typical definition of "claim." While "claim" in D&O policies generally includes threats posed by major regulatory investigations, e.g., by the SEC and the Department of Justice ("DOJ"), the term in E&O policies is generally much narrower. If any defense is provided for SEC, Finra and criminal investigations and the like, it is usually greatly constricted pursuant to tightly-drafted sub-limit provisions.
BD E&O policies also typically lack a severability provision, meaning that there is no coverage for the good guy (the BD) when the bad guy (the rep) has been denied coverage.
Another policy becomes operative here: the fidelity bond. Good practice dictates a Registered Rep endorsement making clear that a rep's theft will be considered a theft from the BD even if the funds never entered the firm itself. Another caution here is to purchase enough insurance; BDs often rely on very low Finra requirements, especially since the fidelity bond premium cannot be directly charged to the reps like the E&O premium generally is.
Mid-Stream: Using Common Sense and All Resources to Connect the Dots
- Firms should, and do, avail themselves of the considerable data crunching resources of clearing firm reports etc. But one of the best ways to prevent affinity fraud, and ward off other major problems, is to learn up close and personal as much as you can about your reps, their overall business models, and, yes, their personal/family situations as well. A lot of BD Presidents would agree that this is a job not only for direct supervisors and compliance staff, but the most senior leaders in the firm, including themselves. And consider "Management by Walking Around," which involves home office staff checking in with reps on an unstructured, spontaneous basis. Within a far-flung independent system, this will often involve phone and video conferences rather than face-to-face visits. Whatever the medium, firms can learn a wealth of details in this type of communication and interaction.
- Given the likelihood of continuing low interest rates, and the continuing hyper-competitive market for financial advice, individual investors will still be desperate for good yields, and reps will be hungrier than ever for business. In this setting, OBA and Rule 3040 compliance is obviously key, and affinity fraud often involves selling away. Remember that Finra says that if firms get the forms, their staff must read them, really understand them, follow up on red flags, and take reasonable steps to enforce applicable policies and procedures.
- Discharging such compliance need not involve running a police state. Perhaps one of the toughest jobs is for firms to ensure that their reps understand that it is in their own self-interest to have a vigilant home office compliance team on their side.
- Revenue possibilities often emerge in situations which are initially compliance challenges; sometimes a well-thought-out series of meetings and social interactions with a rep who seems to have a "problem" on her hands can yield new insights on how the rep can increase business, and do so in a savvy manner which mitigates risk.
- Consider a "Howey" primer and continuous educational and training reinforcement of just how incredibly broad the notion of a "security" is. When in doubt, assume any "program" which involves making money with any sort of passive capital constitutes a security and therefore necessitates adherence to Rule 3040.
- "Do the Write Thing": assume everything which is reduced to writing will turn up in litigation and/or in the hands of the regulators. Especially with e-mails, reps should not write anything which they wouldn't want published on page 1 of the New York Times. Firms should train their troops in the basics of good writing and good English usage; it will stand them in good stead.
- Firms and reps should hold themselves out as wholly accountable for discharging their respective jobs; when a firm and/or rep don't measure up, they should be frank, forthright and consistent in owning up, apologizing, fixing and moving on.
- "Play your Cards Well:" Like it or not, and regardless of the future of Cards itself, the era of big data used by big regulators is here to stay. Susan Axelrod makes the point in her 2014 speech that firms can make good use of the proposed new system as well.
- Utilize Finra and Push it to Be Accountable. Axelrod and Rick Ketchum say that Finra is an open book, and that firms and their compliance staff should not hesitate to use Finra as a resource. And they continue to claim that if firms do this, Finra does not and will not play "regulatory gotcha". While we are well aware that many firm Presidents and others are skeptical of this stated approach by Finra, like it or not, firms are stuck with Finra as their primary regulator. So, it seems logical that it is in firms' self-interest to at least utilize Finra to the greatest extent possible. Of course, firms need to keep in mind that, notwithstanding Finra's offer of compliance support, it has a job to do on the enforcement side; again use diligence and common sense---with active assistance from firms' Legal and Compliance support---in assessing the efficacy of how much transparency and cooperation can and should be given to Finra at particular points in time.
- And don't forget the importance of managing and mitigating negative aspects of various conflicts of interest. Finra's lengthy Fall 2013 report hasn't been in the headlines lately, but all you need to do is to review Carlo di Florio's fall 2014 speech to recognize that this area is still very much front and center for Finra (some argue forcefully that Finra has its own fundamental conflict of interest: that of being a compliance resource and partner of firms, as well as the cop on the beat).
- Avoid risky practices that might cause losses:
  - Insurance is not a panacea. Even if a firm recovers losses from its insurer, it will never be restored to the pre-litigation status [think distractions from growing the business, portions of losses that aren’t covered and higher subsequent premiums]. Or how about reputation? That can’t be insured.
  - Even when a firm thinks it is insured, laxity could leave it bare. An example is the “Three Strikes” exclusions that some insurers have introduced to policies. This automatically excludes coverage for any rep who has any combination of three regulatory violations, insurance claims, and/or customer settlements/awards. The more that firms keep current in their knowledge of their business-side customers, the less likely they will find themselves surprised later with a "Three Strikes" or similar problem.
Back End: Smart Approaches to Litigation and Regulatory Threats
- Litigation and Regulatory are now nearly completely converged. A substantial percentage of customer complaints (including arbitrations) are accompanied by at least a Finra Rule 8210 request following the negative CRD disclosure. There is similar overlap with SEC investigations. Most anything firms and reps do on one side will implicate and often affect outcomes on the other.
- Cooperation, cooperation, and then more cooperation. It is notable that in Finra's Jan. 2015 guidance to firms, it prefaces the substantive areas by pointing out a fundamental process concern: its assessment that more and more recipients of its Rule 8210 and other requests are dragging their feet and/or blowing Finra off on furnishing information and documents on a timely basis. Firms simply cannot scrimp in this area. And even if the production is timely, it must be pristine. Never snatch virtually certain defeat from potential victory by taking even what seems to be the most trivial, minor liberties or shortcuts with the production of documents and furnishing of information. Particularly in the current hyper-criminalized environment of securities enforcement, Finra, SEC and DOJ continue to be relentless and unforgiving for any behavior which they perceive to constitute misleading their agencies and/or obstructing their processes.
- As part and parcel of cooperation, consider the strategic use of internal investigations in dealing with the regulators. Contrary to popular myth, internal investigations need not necessarily consume exorbitant dollars or even always be conducted by outside counsel. True, in all cases, and especially in major SEC/DOJ investigations, the more independent the investigation, the better, and Seaboard is still considered the gold standard of guidance. However, many BD regulatory challenges, though serious, are much more limited in scope. We suspect that firms will be surprised by the range of cost-effective options for internal investigations, and the positive reception which the regulators will give to the presentation of such efforts, many of which consist merely of oral presentations to the Staff, rather than extensive written reports.
- In the nineties, the ABA reported that GCs of major companies were mandating that their outside counsel be "lean, mean, settling machines." Since then, for both public and private companies, and particularly for broker-dealers, the overall cost of Litigation and Regulatory has only increased. We recommend that firms take a long, hard look at whether they can smartly settle various claims well beneath the applicable retention level in their professional liability policies. Our experience over the years says that the regulators often view such efforts positively (for example, the firm can state that it has made the customer whole, without making her go through hell in the process). This approach often represents smart business strategy and operational effectiveness (by entering into a decent settlement early on and thus letting business-side personnel focus on making money for the firm rather than being distracted by litigation).
- However, please note: Firms need to get their professional liability insurer on board with whatever claims resolution/litigation strategy is decided here:
  - First, insurers don’t entirely relinquish control of claims beneath the self-insured retention (lest they become out of control by the time they exceed the retention).
  - Next, insurers have a vested interest in their insureds' strategy. For instance, they might see the "settle-early-approach" as one which paints a large target on the BD’s back.
  - Finally, good communication channels with the decision makers of the insurer’s claims department are necessary. When firms and reps do decide that a fast settlement is best, they do not want to be caught in a bureaucratic claims review process. Regulators generally do not care about a firm's insurance issues, and settlement without the insurer’s consent could jeopardize latent claims that arise from “interrelated wrongful acts” (meaning, for purposes of the insurance policy, that they are part of one claim, and thus the firm may have violated the obligation to obtain the insurer’s consent beforehand). Affinity fraud cases – if they are covered by professional liability insurance at all – are a classic case of a single interrelated wrongful act, i.e., a single claim.
- And, don't forget that firms are customers too. Everyone---outside counsel, compliance consulting shops, insurance carriers, and the regulators themselves---should and must be accountable for knowing, and serving, their customers and constituents. For example, senior management at both the SEC and Finra have told firms and individuals to take gripes up the line with these regulators if necessary; we understand that in practice this may be hard to achieve, but firms should hold them to their word. If an attorney claims that she does "regulatory," find out a little more about what that means, and how much experience she has, for example, in protracted and multi-faceted matters, more than just handling Rule 8210 responses or occasional OTRs. Similarly, firms should make sure that their carriers really "get it" in terms of customer intimacy. For example, firms and reps should put carriers on notice that it is not acceptable to wait until the night before a mediation to finally pull the irrevocable trigger on an exclusion which was so artfully included in the reservation of rights letter at the outset.
In the Relationship Business, Smart Self-Interest is the Key
As the industry moves closer to being held to some notion of a fiduciary obligation toward its customers (see Rick Ketchum's most recent remarks on this), there will be all the more compelling reasons for firms to design, adopt, implement and monitor air-tight systems and processes to prevent and mitigate fraud. Whether seen as fiduciaries or counter-parties, firms and their troops have a clear, compelling self interest in discharging the diligence necessary to really know their customers. If they get it right, then that will go a long way in having their interests as aligned as possible with those of their end-point retail clients.